NSIS Media Popups

Discussion in 'malware problems & news' started by littlebits, Jul 7, 2006.

Thread Status:
Not open for further replies.
  1. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,531
    Location:
    British Columbia
    Thanks to everyone, especially 'Pieter', for contributing to a solution in removing this nasty. A question, if I may.

    Pieter

    Is there anything else that needs to be done, i.e. deletion of files, folders, etc., before or after running your script?

    Thanks.
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi tobacco,

    Hard to tell until we have tried it on a live infection.
    I do not know in which processes the dll gets injected.
    If it is only explorer and iexplore then the script should work without any special preparations.
    (Of course it's always advisable to close as many programs as possible)

    Regards,

    Pieter
     
  3. LonnyRJones

    LonnyRJones Spyware Expert

    Joined:
    Apr 3, 2003
    Posts:
    61
    It loads under explorer, and any exe it wants to.

    We need samples and more info on what it is that installs this thing.
    The programs mentioned here and elsewhere don't anymore, or it could be it won't on virtual machines.
     
  4. LP-Listener

    LP-Listener Registered Member

    Joined:
    Oct 19, 2006
    Posts:
    1
    Location:
    Netherlands
    This is my result:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}" 19-10-2006 21:52:56



    [HKEY_USERS\S-1-5-21-1004336348-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
    "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4} {000214E8-0000-0000-C000-000000000046} 0x401"=hex:01,\

    jan
     
  5. Irma

    Irma Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    3
    Re: NSIS Media Pop-ups

    I finally found the apparent source of NSIS.
    It comes from Nullsoft, in my case with the Winamp player. It is a plug-in of sorts. After I uninstalled Winamp, rebooted, all my scans and searches came out negative. It still did not come back.

    If anyone is interested, here is the URL for the NSIS download and a description of it:
    http://nsis.sourceforge.net/EclipseNSIS_-_NSIS_plugin_for_Eclipse

    http://nsis.sourceforge.net/Support

    plus
    http://nsis.sourceforge.net/Main_Page
    Spyware Terminator Homepage

    Search

    Search in our database
    Search in the web

    Homepage
    Software Database
    N
    Nullsoft, Inc.
    Nullsoft, Inc.
    Software Developer Detail
    Info: Nullsoft, Inc. develops one of the most popular media players - Winamp and plug-ins for it. Its other products include SHOUTcast - media streaming and directory system, NTV - global streaming television, NSIS - installer system for Windows, JNetLib - asynchronous C++ network abstraction library, NetMon - network latency monitor for Windows and other open source software.
    URL: http://www.nullsoft.com
    Phone: 703-265-0094

    Maybe this can shed some light on this.
     
  6. LonnyRJones

    LonnyRJones Spyware Expert

    Joined:
    Apr 3, 2003
    Posts:
    61
  7. Irma

    Irma Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    3
    Hi,
    all I know is that after uninstalling the Winamp player and cleaning the registry of the leftover keys, all my scans came out negative, no more traces and keys and files found, and most important of all, NO MORE POP UPS!

    Since then, I restarted my pc at least 10 times, and just in case did the scans, and I am still negative, and my computer is running just fine.
     
  8. pwp007

    pwp007 Registered Member

    Joined:
    Oct 31, 2006
    Posts:
    1
    Location:
    BC, Canada eh?
    For what it's worth - I tried something completely different to trick this one since no 2 people seem to be having the same luck in getting this thing.....

    1. First I went to Program Files\Common Files\NSIS Media then I deleted the 2 files in the directory.

    2. Then I went to START -> RUN -> Regedit <ENTER> then I searched for NSIS and deleted the registry key.

    3. Then I went back to Program Files\Common Files, made the NSIS Media directory (now empty) Hidden and Read Only.

    4. Then I went into the directory and created an empty (0 kb) ns00.dll file and an empty (0 kb) unist.exe file.

    5. Then I replicated the ns00.dll file 100 times and renamed them in sequence until I had ns00.dll through ns100.dll completed.

    6. Then I made all files in the directory Hidden and Read Only.

    7. Rebooted the computer and went back to check Regedit and the Program Files\Common Files directories to make sure nothing changed.

    8. That's it (took about 30 mins to complete since creating blank DLL and EXE files proved tricky). Those not sure can create a blank text file by the correct name, go to Command Prompt mode (CMD), use CD PROGRA~1 then CD COMMON~1 then CD NSIS, then RENAME *.txt *.dll, then DIR to make sure they look right.

    It seems to work for me anyhow....
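
The placeholder steps from the post above (3 to 7), as an added PowerShell example that is not part of the original post. The default folder path and the `uninst.exe` spelling (the post writes `unist.exe`) are assumptions, and the registry step is left out because the thread does not give the key path.

```powershell
# Added example, not from the thread: plant and verify 0-byte placeholder files.
param(
    # Folder named in the post; the default location is an assumption.
    [string]$Dir = (Join-Path $env:CommonProgramFiles 'NSIS Media'),
    [switch]$Plant   # without -Plant the script only reports what is there
)

$fileAttrs = [IO.FileAttributes]'Hidden, ReadOnly'
# ns00.dll .. ns100.dll as in the post, plus the uninstaller name (assumed spelling)
$names = @(0..100 | ForEach-Object { 'ns{0:D2}.dll' -f $_ }) + 'uninst.exe'

if ($Plant) {
    if (-not (Test-Path -LiteralPath $Dir)) {
        New-Item -ItemType Directory -Path $Dir | Out-Null
    }
    foreach ($n in $names) {
        $p = Join-Path $Dir $n
        # Never overwrite: an existing non-empty file is a live component to remove first
        if (-not (Test-Path -LiteralPath $p)) {
            New-Item -ItemType File -Path $p | Out-Null
        }
        $f = Get-Item -LiteralPath $p -Force
        if ($f.Length -eq 0) { $f.Attributes = $fileAttrs }
    }
    $d = Get-Item -LiteralPath $Dir -Force
    $d.Attributes = [IO.FileAttributes]'Directory, Hidden, ReadOnly'
}

# Step 7 check: a non-empty or writable file means something has rewritten it
if (Test-Path -LiteralPath $Dir) {
    Get-ChildItem -LiteralPath $Dir -Force -File | ForEach-Object {
        [pscustomobject]@{
            Name   = $_.Name
            Bytes  = $_.Length
            Status = if ($_.Length -gt 0) { 'LIVE FILE' }
                     elseif (-not $_.IsReadOnly) { 'placeholder, not read-only' }
                     else { 'placeholder' }
        }
    } | Sort-Object Status, Name
} else {
    "Folder not present: $Dir"
}
```

On Windows the read-only attribute on a folder does not stop new files being created inside it, so it is the per-file placeholders that occupy the names; run the report again after a reboot and look for any `LIVE FILE` row.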
     
  9. Mcgruff

    Mcgruff Registered Member

    Joined:
    Nov 17, 2006
    Posts:
    1

    This worked for me!!! I got it from a CNET download "Classic Arcade Pack" from Openwares.org... I removed that first, then I removed the NSIS and crashed the system at the click OK prompt... Seems to have done the trick. :D thx Sammy
     
  10. ninja9

    ninja9 Registered Member

    Joined:
    Nov 27, 2006
    Posts:
    1
    has anyone tried stopzilla......... http://www.stopzilla.com/

    i haven't tried the registered version so it full functioning to the removal but it seems this program can detect nsis media as a malware............

    i was infected and did these for removal...

    1. uninstall nsis media from add and remove

    2. delete the nsis registry key using registry editor

    3. scan using trojan hunter.. did find a trojan.. (my mcafee antivirus running in the background keeps telling me that there are viruses in folder /localsetting/temp... but it is not there.. i don't know about this)

    4. delete the chrome folder..........and install the firefox again...

    ... now my firefox run normally....
     
    Last edited: Nov 27, 2006
  11. LonnyRJones

    LonnyRJones Spyware Expert

    Joined:
    Apr 3, 2003
    Posts:
    61
  12. novi

    novi Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    2
    Nice info LonnyRJ. Spybot cleared it, or I hope that it's removed now coz the results of scanning are "negative" on this junk :D . That's why I posted a reply here, I just want to be sure it is totally removed from the pc. Is there someone who used Spybot a few days or weeks ago, I would like to hear whether it (that junk) comes back after some time o_O I read here that this software was made for spying credit card codes in online shopping. Is it safe now to use cards for online shopping o_O Thanks Lonny once again, and thanks in advance if someone answers.
     
  13. Longboard

    Longboard Registered Member

    Joined:
    Oct 2, 2004
    Posts:
    3,238
    Location:
    Sydney, Australia
    A bit OT:

    Been watching here;
    Always interesting to me that SB seems to perform poorly on "magazine tests", yet all the peeps who have some expertise regard it as a great tool.

    There is a message there ;)

    (As an aside I recently registered at one magazine 'Webuser' forum who had given very positive reviews about PrevX and Spysweeper.
    I actually recently dumped SS but am licensed PX member.
    I wrote posts scathingly critical of both utilities and lo and behold both posts were pulled without notice or explanation o_O )
     
  14. LonnyRJones

    LonnyRJones Spyware Expert

    Joined:
    Apr 3, 2003
    Posts:
    61
    Novi

    Nsis is relatively harmless, only does popups as far as I know.
    It seems to be on a timer, so if it's not completely gone (should be), it will come back in a week or two.
    From what I've seen it only gets installed with supposedly free software.
    That IS mentioned (this software is brought to you by NSIS media, or similar notice), you'd have to agree to have it installed.
    As littlebits mentions earlier in this thread

    Longboard
    SpyBot S&D
    Ad-Aware
    avg antispyware
    prevx
    Spysweeper
    windows defender
    all good programs, unfortunately we need more than one.
     
  15. novi

    novi Registered Member

    Joined:
    Nov 29, 2006
    Posts:
    2
    Thank you Lonny for your answer :) . I thought that it's much more dangerous by the reviews I read here, but if you say that it's harmless I'll take your opinion then. Mmm, week or two you said (b4 popups again start to show up) if it's not completely removed from the system. So, since yesterday no popups again, one day without that scum is success for me :) . Just in case, I removed firefox 1.508, codecs and filters for video-audio streaming and some games I downloaded as freeware in past days (all that seem to be potential entries of Nsis on the system). I hope that it's gone forever, but if it shows up again I'll post a reply here, so that we could continue the fight against it :) :).
     
  16. stevenf12801

    stevenf12801 Registered Member

    Joined:
    Dec 10, 2006
    Posts:
    1
    This NSIS seemed to be such a problem, with both Firefox & IE, IE I couldn't even open up. The big hammer on for Firefox to generate this, I think is wrong. Symantec had known about this since 3/21/05, where in another forum others think it's a newbie. Spybot located and removed it but, obviously, as for others, it came back. I removed Ad-aware, and nullsoft (is associated with NSIS), also winamp.... removed it manually in regedit, through program files, ad remove programs... with the ns** file #'s changing on its return. Cleaned the registry with numerous cleaners, it still came back... even "crashed" the system by unplugging after a 'cleaning'. Still returned! Going to my computer\program files\common files\ I opened the folder NSIS to a ns** file and a uninst.exe... I clicked on uninst.exe, it opened to uninstall, I went for it... that's all it took to clean it out!!! Simple! I went through in regedit, there was a folder there, removed it, checked program file\common file... it's gone, also ad-remove, gone!!! Cleaned the registry, and Hallelujah!!! Cleaned!!! IE opened right up!!! I've seen where others had it easy removal also.... I didn't read all the postings in this forum. So may the nightmare not continue! Steve
     
  17. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    786
    Location:
    West Virginia (USA)
  18. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    722
    the NSIS Media Uninstaller by NSIS Media himself:
    hxxp://nsismedia.net/uninstall/
     